Rolling-Code Remotes Make Replay Attacks Impossible — Fixed-Code Openers Are Clonable in Seconds
Claim: Pre-mid-1990s garage door openers transmit the same fixed radio code on every button press, which can be captured and replayed by any scanner. Modern openers use rolling-code technology (HCS301/KeeLoq or equivalent) that generates a one-time encrypted code on each press — even capturing the code makes it useless for future entry. Any opener with dip-switch programming is a fixed-code system and should be replaced if security matters.
Mechanism
How fixed-code systems are exploited:
Fixed-code openers encode access as a static binary sequence, typically set via physical dip-switches on the remote and receiver unit. The system accepts any transmission of that code. An attacker can:1
- Point a code-grabber (a scanner that records 315 MHz or 390 MHz RF transmissions) at the door from a parked car and capture the code when you use your remote
- Use a universal remote programmed to brute-force all possible dip-switch combinations — older 8-bit or 10-bit dip-switch systems have only 256–1,024 possible combinations, exhaustable in seconds
- Buy a second remote of the same model and set it to matching dip-switch positions
How rolling-code works:
The remote and receiver share a cryptographic key and a synchronized counter (implemented in chips like the HCS301 using KeeLoq encryption). Each button press generates a new encrypted code derived from the key + the current counter value. The receiver only accepts codes that:1
- Decrypt correctly using the shared key, AND
- Have a counter value within an acceptable window ahead of the last accepted value
Once a code is used, it is discarded. If an attacker captures a transmitted code, it has already been accepted by the receiver and will be rejected on the next attempt. The “RollJam” attack (jams the first press, captures code 1 and code 2, releases code 1 to the opener) is a real but complex attack requiring the attacker to be physically present with jamming + recording hardware during multiple button presses — far beyond opportunistic break-in.
How to tell which type you have:
- Dip-switch settings visible inside the remote battery compartment = fixed code, replace
- Remote labelled “Security+” (LiftMaster), “Intellicode” (Genie), or similar = rolling code
- Opener purchased or installed after approximately 1996 = very likely rolling code
- No visible switches but opener is clearly old = check the motor unit label for manufacture date
Scope
This idea covers the remote control / radio security layer only. It does not cover:
- The emergency release cord physical bypass (see Emergency-Release-Cord-Fishing-Attack (Home Systems))
- Keypad PIN security (change on move-in; do not use 0000 or 1234)
- Smart-opener Wi-Fi and account security (strong password + 2FA on the myQ/Genie app)
Idea Compass
North: Where this comes from
- KeeLoq cryptographic algorithm (Microchip Technology) — the rolling-code standard used in most residential openers
- Mid-1990s transition from mechanical dip-switch to rolling-code RF in the garage door opener industry
East: Tensions / failure
- Emergency-Release-Cord-Fishing-Attack (Home Systems) — rolling code stops remote replay but doesn’t help if the attacker uses a wire hanger on the release cord instead
- RollJam attack — active jamming-based rolling-code exploit; real but requires physical presence and equipment; not opportunistic
South: Where this leads
- garage-opener (Home Systems) — the one-time setup task: verify rolling-code, change keypad code on move-in
West: What’s similar
- Smart home lock PIN codes — same pattern: static code = clonable; rolling challenge-response = resistant
- WPA2/WPA3 vs WEP Wi-Fi security — same generation-shift pattern: older standard is cryptographically broken; replacement is standard in any new hardware
Sources
Footnotes
-
GateRemoteSource, electronics supplier — fixed code vs rolling code security; HCS301/KeeLoq; cloning methods for fixed-code (code grabber, brute force, universal remote); retrofit options for fixed-code systems — https://www.gateremotesource.com/en/blog/garage-door-remote-cloning-security-guide ↩ ↩2